b'INFORMATION\nSECURITY\n\nEvaluation of GAO\xe2\x80\x99s\nProgram and\nPractices for Fiscal\nYear 2012\n\n\n\n\n                OIG-13-2\n\x0c           Office of the Inspector General\n       U.S. Government Accountability Office\n                  Report Highlights\n\nFebruary 2013\n\n\nINFORMATION SECURITY\nEvaluation of GAO\xe2\x80\x99s Program and Practices for Fiscal\nYear 2012\nWhat We Found\nThe Federal Information Security Management Act of 2002 (FISMA)\nrequires that each federal agency establish an agency-wide information\nsecurity management program for the information and information\nsystems that support the agency\xe2\x80\x99s operations and assets. GAO is not\nobligated by law to comply with FISMA or Executive Branch information\npolicies, but has adopted them to help ensure physical and information\nsystem security. Our prior year evaluations have shown that GAO has\nestablished an overall information security program that is generally\nconsistent with the requirements of FISMA, OMB implementing guidance,\nand standards and guidance issued by the National Institute of Standards\nand Technology. For example, GAO has well defined operational and\ntechnical controls for remote access to its network. Its telecommunications\npolicy requires users to sign rules of behavior and user agreements that\nacknowledge their responsibility and accountability. GAO also has a\nprocess for reporting and disabling lost or stolen devices to prevent\nunauthorized access. In addition, GAO has continued its focus on closing\nprior year security-related recommendations.\nOur fiscal year 2012 limited evaluation reinforced our prior conclusion.\nHowever, using 18 new FISMA reporting metrics for federal inspectors\ngeneral, we identified areas for improvement in the contingency planning\nprocess. We also identified resource challenges that affect GAO\xe2\x80\x99s ability\nto implement security upgrades and strategies identified by GAO\nmanagers and the OIG.\n\n\nWhat We Recommend\nTo help strengthen GAO\xe2\x80\x99s overall information security program, we\nrecommend that the Chief Information Officer take the following two\nactions: (1) implement measures to increase the redundancy and\navailability of GAO mission-essential applications and (2) develop and\nprovide, for GAO senior management consideration, a proposed strategy\nto ensure power redundancy to GAO servers and provide a long-term\nalternate power supply in the event of a power outage. GAO concurred\nwith our recommendations.\n\n\n\n\n                                                OIG-13-2 Information Security\n\x0c                                               United States Government Accountability Office\n\n\n\nMemorandum\nDate:        February 13, 2013\n\nTo:          Comptroller General Gene L. Dodaro\n\nFrom:        Inspector General Adam Trzeciak\n\nSubject:     Information Security: Evaluation of GAO\xe2\x80\x99s Program and Practices for\n             Fiscal Year 2012\n\nWe have completed a limited-scope, independent evaluation of the effectiveness of\nGAO\xe2\x80\x99s information security program and practices for fiscal year 2012 as prescribed\nby the Federal Information Security Management Act of 2002 (FISMA).1 FISMA\nrequires federal agencies to develop, document, and implement an agency-wide\ninformation security program to provide security for the information and information\nsystems that support their operations and assets, including those provided or\nmanaged by another agency, contractor, or other source. In addition, each agency is\nrequired to have an annual independent evaluation of its information security\nprogram and practices, including control testing and compliance assessment, which\nis to be performed by the agency Inspector General (IG) or by an independent\nexternal auditor. GAO is not obligated by law to comply with FISMA or executive\nbranch information policies, but has adopted them to help ensure physical and\ninformation system security.\n\nOur prior year evaluations have shown that GAO has established an overall\ninformation security program that is generally consistent with the requirements of\nFISMA, OMB implementing guidance, and standards and guidance issued by the\nNational Institute of Standards and Technology (NIST).2 Our fiscal year 2012 limited\nreview reinforced our prior conclusion, although this year, we identified areas for\nimprovement in the contingency planning process. We also identified resource\nchallenges that impact GAO\xe2\x80\x99s ability to implement security upgrades and strategies\nidentified by GAO managers and the OIG. This report includes recommendations to\nhelp the agency more fully implement federal information security requirements for\nthese program elements.\n\n\n\n\n1\n Enacted as Title III of the E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899, 2946\n(Dec. 17, 2002).\n2\n GAO/OIG, Information Security: Evaluation of GAO\xe2\x80\x99s Program and Practices for Fiscal Year 2010,\nGAO/OIG-11-3 (Washington, D.C.: Mar. 4, 2011).; and Information Security: Evaluation of GAO\xe2\x80\x99s\nProgram and Practices for Fiscal Year 2011, GAO/OIG-12-2 (Washington, D.C.: Mar. 30, 2012).\n\n\n\n\n                                                   OIG-13-2 Information Security\n\x0cObjectives, Scope, and Methodology\n\nFor fiscal year 2012, we performed a limited FISMA evaluation of GAO\xe2\x80\x99s information\nsecurity program and practices. Specifically, we assessed GAO\xe2\x80\x99s compliance with\nthe 18 new FISMA metrics for fiscal year 2012 developed by the Department of\nHomeland Security (DHS) for reporting by executive agency Inspectors General, 3\nrather than the complete list of DHS metrics as in prior years. These metrics\nestablished minimum and target levels of performance for administration priorities\nand metrics for other key performance areas that were designed to focus federal\nagency efforts on network security. Our review included the following eight\ninformation security areas: Configuration Management, Identity and Access\nManagement, Incident Response and Reporting, Risk Management, Security\nTraining, Plan of Action and Milestones (POA&M), Remote Access Management,\nand Contingency Planning. (See attachment I.)\n\nWe also evaluated changes to GAO systems, policies, and procedures in fiscal year\n2012 that could potentially affect GAO\xe2\x80\x99s information security program. To assess\nGAO\xe2\x80\x99s performance for these areas, we analyzed the agency\xe2\x80\x99s information security\npolicies, procedures, and guidance; interviewed staff in GAO\xe2\x80\x99s Information Systems\nand Technology Services (ISTS) office; and obtained additional data and\ndocumentation from them. In addition, we reviewed the security control\ndocumentation for GAO systems using a risk-based approach. As part of our review\nof Contingency Planning, we toured the Local Area Network Operations Center\n(LOC), visually inspected electrical circuits, and physically traced power cords for\nservers to check for power redundancy. Finally, we identified actions taken in\nresponse to past FISMA recommendations and determined if any of these\nrecommendations can be closed.\n\nWe conducted this evaluation from December 2012 to February 2013 in accordance\nwith the Quality Standards for Inspection and Evaluation established by the Council\nof the Inspectors General on Integrity and Efficiency, in January 2012. Those\nstandards require that we plan and perform the evaluation to obtain sufficient,\nappropriate evidence to provide a reasonable basis for our findings and conclusions\nbased on our objectives. We believe the evidence obtained provides a reasonable\nbasis for our findings and conclusions based on our evaluation objectives.\n\nBackground\n\nTo help protect against threats to federal systems, FISMA sets forth a\ncomprehensive framework for ensuring the effectiveness of information security\ncontrols over information resources that support federal operations and assets. Its\nframework creates a cycle of risk management activities necessary for an effective\nsecurity program. It is also intended to provide a mechanism for improved oversight\n\n\n3\nU.S. Department of Homeland Security, FY 2012 Inspector General Federal Information Security\nManagement Act Reporting Metrics, (March 6, 2012).\n\n\n\n\nPage 2                                                    OIG-13-2 Information Security\n\x0cof federal agency information security programs. In order to ensure the\nimplementation of this framework, FISMA assigns specific responsibilities to OMB,\nagency heads, chief information officers (CIO), inspectors general, and NIST. OMB\nis tasked with developing and overseeing the implementation of policies, principles,\nstandards, and guidelines on information security; reporting at least annually on\nagency compliance with the act; and approving or disapproving agency information\nsecurity programs. Agency heads are tasked with providing information security\nprotections commensurate with the risk and magnitude of the harm resulting from\nunauthorized access, use, disclosure, disruption, modification, or destruction of\ninformation collected or maintained by or on behalf of the agency. Agency heads\nand CIO are tasked with developing, documenting, and implementing agency-wide\ninformation security programs. Inspectors general are tasked with conducting annual\nindependent evaluations of agency efforts to effectively implement information\nsecurity. NIST is tasked with providing standards and guidance to agencies on\ninformation security.\n\nChanges to GAO Control Environment during Fiscal Year 2012\n\nISTS did not retire any existing FISMA systems or add any new FISMA systems in\nfiscal year 2012. Therefore, the GAO FISMA inventory remained unchanged from\nfiscal year 2011. During fiscal year 2012, ISTS implemented software upgrades\nincluding Microsoft Office 2007 and Oracle 11G. We reviewed configuration\nmanagement documentation and verified that these changes were authorized and\napproved.\n\nImprovements Needed to Fully Implement Security Program\n\nGAO has established an information security program that is generally consistent\nwith federal requirements, guidance, and standards. Of particular note in fiscal year\n2012, ISTS updated procedures for managing and tracking annual security\nawareness training and role-based training to more accurately report compliance\nand ensure accountability for the required training. The recently developed\nMandatory Training Portal allows ISTS managers to track who has completed\ninformation security awareness and role-based training. It also allows portal\nadministrators to send automated e-mail notifications to those who have not yet\nsatisfied the requirement. GAO reported that awareness training compliance was at\n99 percent and the role-based training compliance was at 98 percent.\n\nGAO also has well-defined operational 4 and technical 5 controls for Remote Access\nManagement. For example, GAO has a published telecommuting policy that requires\n\n\n4\n Operational controls are safeguards or countermeasures for an information system that are primarily\nimplemented and executed by people (as opposed to systems).\n5\n Technical controls are safeguards or countermeasures for an information system that are primarily\nimplemented and executed by the information system through mechanisms contained in the\nhardware, software, or firmware components of the system.\n\n\n\n\nPage 3                                                      OIG-13-2 Information Security\n\x0cusers to sign rules of behavior and user agreements that acknowledge their\nresponsibility and accountability. GAO also has a process for reporting and disabling\nlost or stolen devices to prevent unauthorized access. We reviewed documentation\nfrom an actual lost property incident and verified that ISTS personnel followed these\nprocedures.\n\nHowever, information security threats change almost daily, requiring constant\ndiligence and oversight to mitigate possible impact on information availability,\nintegrity, and continuity. In evaluating elements of this program based on the DHS\nreporting metrics for Inspectors General (IG), we identified specific improvements\nneeded to help ensure that security requirements are fully implemented. Evaluation\nresults for these program elements are as follows.\n\nLimitations Exist in GAO Information Technology Contingency Planning\n\nGAO maintains an overall continuity program, which among other things, provides\nfor the health and safety of GAO employees, contractors, and visitors, and ensures\nGAO will be able to maintain its operational capability in the event of a disaster or\ndisruption. As a key element of this program, ISTS maintains a contingency plan that\nidentifies and centralizes processes necessary to recover GAO Network services\nfollowing a disruption that significantly degrades or disrupts network use. 6 Further,\nISTS maintains detailed procedures for specific events, such as planned 7 and\nunscheduled power outages. 8\n\nThese plans and procedures cover the GAO Network and all major applications\n(systems) located in the LOC at GAO Headquarters, and activating the plan may\ninvolve relocation of network operations to GAO\xe2\x80\x99s Alternate Computing Facility\n(ACF) located outside of Washington, D.C. However, as reported in the fiscal year\n2011 evaluation, the ACF currently provides only limited disaster recovery\ncapabilities and will require additional funding and executive support to build out the\nACF infrastructure required to fully support GAO\xe2\x80\x99s mission-essential functions,\nshould network operations become dependent on this facility. 9\n\nThe ACF is equipped with servers to run a portion of applications to support mission-\nessential functions including the Document Management/Electronic Records\nManagement System (DM/ERMS), General Counsel\xe2\x80\x99s case tracking system (GC\nTrack), the Congressional Contact System, and My Locator. However, it is important\nto note that the data on these servers are not updated in real-time and in the event\nof an emergency, any changes made since the most recent update could be lost.\n\n\n6\n GAO Network IT Contingency Plan, version 6.0 (August 2012).\n7\n Power Outage/Testing Checklist, Version 1.1 (March 10, 2011).\n8\n Checklist Emergency LOC Shutdown\n9\n Mission Essential Functions (MEFs) are defined as a limited set of department- and agency-level\ngovernment functions that must be continued after a disruption of normal activities.\n\n\n\n\nPage 4                                                      OIG-13-2 Information Security\n\x0cBased on current procedures that include nightly incremental backup of data, 10 up to\n24-hours\xe2\x80\x99 worth of data could be lost in an emergency.\n\nIn addition, although the ACF can provide \xe2\x80\x9cgo-forward\xe2\x80\x9d e-mail services (no historical\ne-mail), ISTS does not yet have processes to migrate e-mails created through ACF\noperations back into LOC e-mail servers, should normal operations resume. This\nmeans that during a disaster or disruption, GAO personnel would not be able to\naccess e-mails sent or received before the event. Further, once the event is over,\nany e-mails sent or received during the disruption may no longer be accessible. This\ncould seriously impair communication with key stakeholders, including congressional\nstaff and agency officials.\n\nOther essential applications do not currently have servers at the ACF. These\napplications include the Asset Manager, the webTA System, the Job Information\nSystem, and the Engagement Results Phase. As a result, equipment would need to\nbe procured or transferred to the ACF before any data could be loaded and restored.\nThis would likely cause significant delays in recovering IT operations after an\nemergency.\n\nIn the event of a power outage or similar disruption, ISTS personnel would have\napproximately 15-20 minutes of emergency battery power to gracefully shut down\napproximately 300 servers in the GAO Headquarters LOC. According to ISTS\npersonnel, the majority of federal agencies and private companies rely on a\ngenerator to extend that timeframe. This is consistent with NIST guidance that states\norganizations should provide a long-term alternate power supply for information\nsystems that is capable of maintaining minimally-required operational capability in\nthe event of an extended loss of the primary power source. ISTS personnel\nestimated that the cost for a generator was $2 million and deemed it to be cost-\nprohibitive. As a result, data on any server that is not shut down gracefully (i.e.,\nemploying log-off procedures that often require several minutes or more) is at risk of\nloss or corruption. That risk is significantly greater on evenings and weekends when\nthe amount of ISTS staff physically on site is minimal.\n\nWe also noted that power circuits in the LOC are not redundant, which is not\nconsistent with NIST guidance and industry best practices. For example, rows of\nservers are connected to a single Power Distribution Unit (PDU). 11 If the transformer\nwithin that PDU were to fail, the entire row of servers would lose power. Similarly, we\nobserved that servers were plugged into the same circuit from a single PDU. If that\ncircuit breaker were to trip or fail, those servers would lose power. To maintain\n\n\n\n10\n  An incremental backup captures files that were created or changed since the last backup.\nIncremental backups afford more efficient use of storage media, and backup times are reduced.\n11\n  A PDU is a device designed to transform raw power feeds into lower capacity power feeds and\ndistribute that electricity to racks of computers and networking equipment located within the data\ncenter.\n\n\n\n\nPage 5                                                        OIG-13-2 Information Security\n\x0cpower redundancy, servers must be plugged into separate, independent power\ncircuits.\n\nFinally, ISTS informed us that they have not briefed members of the GAO Executive\nCommittee on the specific risks posed by a power outage or similar disruption. We\nbelieve such briefings are an essential step in the Contingency Planning process.\n\nResource Challenges Exist in GAO\xe2\x80\x99s Information Security Program\n\nResource challenges in the Information Systems Security Group adversely impact\nGAO\xe2\x80\x99s ability to implement necessary upgrades identified by GAO managers and\nour prior work. For example, one area particularly affected is ISTS\xe2\x80\x99s ability to\nsegregate responsibilities. Through interviews with ISTS personnel, we learned that\nstaff have collateral duties that often pose competing priorities. For example, the\nInformation System Security Officer (ISSO) is primarily responsible for ensuring\nimplementation of system-level security controls and maintaining system\ndocumentation. However, the ISSO has also been assigned responsibility for audits\nand compliance. Similarly, engineering staff periodically have to perform monitoring\nduties or monitoring staff have to perform engineering duties. Further, the director\nfrequently performs operational duties that take time away from management and\nstrategic activities.\n\nDuring our fiscal year 2011 evaluation, ISTS sometimes attributed competing\nresource needs as a cause for delayed correction of information security weakness.\nOMB and NIST guidance requires agencies to identify vulnerabilities, establish\npriorities, and assign staffing or financial resources required to resolve a weakness.\nWe believe that estimating the resources needed to correct a weakness could aid in\nmanaging the overall remediation process.\n\nStatus of Prior Recommendations\n\nDuring fiscal year 2012, to implement recommendations made in our FISMA\nevaluation for fiscal year 2011, ISTS took the following actions:\n \xe2\x80\xa2   Integrated an enterprise risk management program into its Information\n     Technology Investment Committee governance and oversight process.\n \xe2\x80\xa2   Updated GAO\xe2\x80\x99s procedures for managing and tracking annual security\n     awareness training and role based training to accurately report training\n     compliance.\n \xe2\x80\xa2   Briefed senior management on the current ACF capabilities and a strategy for\n     contingency operations at that site.\n\nDuring fiscal year 2012, ISTS continued efforts to implement the one remaining 2011\nFISMA recommendation that the CIO establish monitoring procedures that enhance\naccountability for, and management of, GAO\xe2\x80\x99s information security weakness\nremediation process by:\n\n\n\nPage 6                                              OIG-13-2 Information Security\n\x0c \xe2\x80\xa2   Ensuring that business and system owners provide, and the Information\n     Systems Security Group incorporates into the POA&M, timely updates that\n     include current estimated completion dates for all open or delayed\n     weaknesses; and\n \xe2\x80\xa2   Reconsidering the need to identify resources required to resolve a weakness,\n     including funding or other nonfunding obstacles or challenges, such as staffing,\n     that may adversely affect its remediation.\n\nIn addition, GAO continued efforts to implement the fiscal year 2009 FISMA\nrecommendations to (1) develop policies and procedures that would meet the intent\nof a breach notification policy and plan as prescribed by OMB, and (2) establish a\nprogram to provide both initial and annual refresher privacy training to GAO\xe2\x80\x99s\nemployees and managers. Implementing these two recommendations is dependent\non finalizing a GAO security incident response directive and a GAO privacy rule and\norder, respectively. We commented on draft versions of these documents. However,\nas of February 7, 2013, these documents were not final.\n\nConclusions\n\nOur prior year evaluations have shown that GAO has established an information\nsecurity program that is generally consistent with federal requirements, guidance,\nand standards. Our fiscal year 2012 limited review reinforced our prior conclusion\nand identified areas for improvement in the contingency planning process. We also\nidentified resource challenges that affect GAO\xe2\x80\x99s ability to implement security\nupgrades and strategies identified by GAO managers and the OIG.\n\nIt is essential to ongoing program effectiveness that GAO continually assess\nwhether established processes and practices are operating as intended and make\ncertain that changes in federal security requirements, guidance, and techniques are\nproactively incorporated into a formal, well-documented program. In addition, senior\nmanagement involvement in determining how the organization assesses and\nmitigates information-system-related security risks will help to strengthen the\nagency\xe2\x80\x99s overall information security program.\n\nRecommendations for Executive Action\n\nTo help strengthen GAO\xe2\x80\x99s overall information security program, we recommend that\nthe CIO take the following two actions:\n \xe2\x80\xa2   Implement measures to increase the redundancy and availability of GAO\n     mission-essential applications.\n \xe2\x80\xa2   Develop and provide, for GAO senior management consideration, a proposed\n     strategy to ensure power redundancy to GAO servers and provide a long-term\n     alternate power supply in the event of a power outage.\n\n\n\n\nPage 7                                             OIG-13-2 Information Security\n\x0cAgency Comments and Our Evaluation\n\nThe Inspector General provided GAO with a draft of this report for review and\ncomment. (See attachment II.) GAO concurred with our recommendations. The\nagency also provided technical comments that we incorporated, as appropriate.\n\nActions taken in response to our recommendations are expected to be reported to\nmy office within 60 days.\n\nWe are sending copies of this report to the other members of GAO\xe2\x80\x99s Executive\nCommittee (Chief Operating Officer, Chief Administrative Officer/Chief Financial\nOfficer, and General Counsel), GAO\xe2\x80\x99s Audit Advisory Committee, and other key\nmanagers. The report is also available on the GAO website at\nhttp://www.gao.gov/about/workforce/ig.html.\n\nIf you or your staff have any questions about this report, please contact me at\n(202) 512-5748 or trzeciaka@gao.gov. Contact points for GAO\xe2\x80\x99s Office of\nCongressional Relations and Public Affairs may be found on the last page of this\nreport. Key contributors to this report were Douglas Carney and Cathy Helm,\nDeputy Inspector General.\n\n\n\n\nPage 8                                             OIG-13-2 Information Security\n\x0cAttachment I\n\nThe following are the Department of Homeland Security\xe2\x80\x99s eighteen new fiscal year\n2012 FISMA metrics for reporting by executive agency Inspectors General. 12\n\n 2. CONFIGURATION MANAGEMENT\n 2.1.8. Software assessing (scanning) capabilities are fully implemented.\n 2.1.9. Configuration-related vulnerabilities, including scan findings, have been remediated in a\n         timely manner, as specified in Organization policy or standards.\n 2.1.10. Patch management process is fully developed, as specified in Organization policy or\n         standards.\n 3. IDENTITY AND ACCESS MANAGEMENT\n 3.1.5. Organization has adequately planned for implementation of PIV for logical access in\n        accordance with government policies.\n 3.1.8. Identifies all User and Non-User Accounts (refers to user accounts that are on a system.\n        Examples of non-user accounts are accounts such as an IP that is set up for printing. Data\n        user accounts are created to pull generic information from a database or a guest/anonymous\n        account for generic login purposes that are not associated with a single user or a specific\n        group of users)\n 4. INCIDENT RESPONSE AND REPORTING\n 4.1.8. There is sufficient incident monitoring and detection coverage in accordance with government\n         policies.\n 5. RISK MANAGEMENT\n 5.1.15. Security authorization package contains Accreditation boundaries for Organization\n         information systems defined in accordance with government policies.\n 6. SECURITY TRAINING\n 6.1.6. Training material for security awareness training does not contain appropriate content for the\n        Organization.\n 7. PLAN OF ACTION & MILESTONES (POA&M)\n 7.1.7. Costs associated with remediating weaknesses are identified.\n 8. REMOTE ACCESS MANAGEMENT\n 8.1.4. Telecommuting policy is fully developed.\n 8.1.9. Lost or stolen devices are disabled and appropriately reported.\n 8.1.10. Remote access rules of behavior are adequate in accordance with government policies.\n 8.1.11. Remote access user agreements are adequate in accordance with government policies.\n 9. CONTINGENCY PLANNING\n 9.1.8. After-action report that addresses issues identified during contingency/disaster recovery\n         exercises.\n 9.1.9. Systems that have alternate processing sites.\n 9.1.10. Alternate processing sites are subject to the same risks as primary sites.\n 9.1.11. Backups of information that are performed in a timely manner.\n 9.1.12. Contingency planning that consider supply chain threats.\n\n\n\n12\n U.S. Department of Homeland Security, FY 2012 Inspector General Federal Information Security\nManagement Act Reporting Metrics, (March 6, 2012).\n\n\n\n\nPage 9                                                       OIG-13-2 Information Security\n\x0cAttachment II\n\n\n\n\nPage 10         OIG-13-2 Information Security\n\x0c(999827)\n\n\n\nPage 11    OIG-13-2 Information Security\n\x0c                      To report fraud, waste, and abuse in GAO\xe2\x80\x99s internal operations, do one of\nReporting Fraud,      the following. (You may do so anonymously.)\nWaste, and Abuse in\n                      \xef\x82\xb7   Call toll-free (866) 680-7963 to speak with a hotline specialist,\nGAO\xe2\x80\x99s Internal            available 24 hours a day, 7 days a week.\nOperations\n                      \xef\x82\xb7   Online at: https://OIG.alertline.com.\n\n\n                      To obtain copies of OIG reports and testimony, go to GAO\xe2\x80\x99s Web site:\nObtaining Copies of   www.gao.gov/about/workforce/ig.html.\nOIG Reports and\nTestimony\n\n                      Katherine Siggerud, Managing Director, siggerudk@gao.gov,\nCongressional         (202) 512-4400, U.S. Government Accountability Office, 441 G Street\nRelations             NW, Room 7125, Washington, DC 20548\n\n\n                      Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800\nPublic Affairs        U.S. Government Accountability Office, 441 G Street NW, Room 7149,\n                      Washington, DC 20548\n\n\n\n\n                      This is a work of the U.S. government and is not subject to copyright protection in the\n                      United States. The published product may be reproduced and distributed in its entirety\n                      without further permission from GAO. However, because this work may contain\n                      copyrighted images or other material, permission from the copyright holder may be\n                      necessary if you wish to reproduce this material separately.\n\n\n\n\n                             Please Print on Recycled Paper\n\x0c'